from the final-up-yours-of-2013-to-the-4th-amendment dept

This one is hardly a surprise, given how many (though not all) courts have ruled concerning searches of computing devices at the border. The government's general theory is that there is no 4th Amendment right at the border, and thus customs officials can search anything. The argument that they're trying to prevent "bad stuff" from getting into the country really doesn't make much sense though. If bad stuff is "on a computer" it could easily be sent digitally across the border with no intervention from a customs official. Furthermore, making border searches of laptops and phones even more troubling is the nature of how information is stored. When we pack for a trip we deliberately choose what to include in our suitcase -- so we know what's coming with us. However, on our electronic devices, we pretty much store absolutely everything. Arguing that these are subject to a full search seems problematic -- but many courts have found otherwise.

And, now there's another one. A judge in NY has dismissed a challenge to the searches brought by the ACLU. The judge, Edward Korman, repeatedly quotes former head of Homeland Security, Michael Chertoff, who now makes money by hyping up the threats the country faces, so it's not like he's the most unbiased of folks to be relying on for how important these border searches really are. Judge Korman claims that the defendants have no standing to bring the case in the first place. There is one individual (a PhD student) who actually had his computer searched, and then some professional organizations who worried about their members having their computers searched. The judge is simply not impressed by their arguments... at all. He notes that Customs and Border Patrol appears to search so few laptops that it's highly unlikely that any individual will have theirs searched -- and thus these groups can't really allege a likely harm. He points out that it's wrong to use a declaratory judgment case to address "a claim of alleged injury based on speculation as to conduct which may or may not occur at some unspecified future date."

As for the one guy, Pascal Abidor, who did have his laptop searched, Judge Korman is also not impressed, noting that he's not suing over that particular search, but the possibility of future searches. The judge seems a bit perplexed by this decision, but notes that it takes away his ability to get standing:

Abidor could have established standing in this case by adding a cause of action for damages based on his claim that he was subject to an unreasonable search. Such a cause of action would have provided the occasion for a trial or a motion for summary judgment that would have fully developed the record with respect to both the initial quick look search and subsequent forensic search. No such action is alleged.

But, as Judge Korman notes, if he can't show any real likelihood of future harm, he can't show standing.

Even after dismissing for lack of standing, the judge decides to take on the issue anyway, and this is where he starts to get really insulting to anyone who thinks that perhaps they should have some privacy rights at the border. He openly mocks the plaintiffs for arguing for the need for a "reasonable suspicion" standard for searches, noting that this bar is so low that it's not like they'd get much more privacy out of it anyway:

Plaintiffs must be drinking the Kool-Aid if they think that a reasonable suspicion threshold of this kind will enable them to "guarantee" confidentiality to their sources.

He goes on to suggest that since traveling internationally involves going into other countries, these same people would probably have even less privacy over their data, since other countries may be even more willing to search their computers. He even cites the situation of David Miranda having his electronics searched in the UK.

Surely, Pascal Abidor cannot be so naive to expect that when he crosses the Syrian or Lebanese border that the contents of his computer will be immune from searches and seizures at the whim of those who work for Bassar al-Assad or Hassan Nasrallah. Indeed, the New York Times recently reported on the saga of David Michael Miranda who was detained for nine hours by British authorities "while on a stop in London's Heathrow airport during a trip from Germany to Brazil."

While the judge's point is correct that other countries are unlikely to protect the privacy of travelers as well, and that means that any information on a laptop may be inherently unsafe, it seems like a bit of a weak copout to argue that since other countries have no respect for your electronic privacy, the US shouldn't either.

He goes even further, arguing that because there's a "special need" at the border to stop bad people, it's perfectly fine to ignore things like probable cause or reasonable suspicion -- again quoting Michael Chertoff to suggest that border laptop searches have stopped "bad people" from entering the US.

But then he argues that since everyone knows they may be searched at the border, there isn't really an invasion of privacy:

The invasion of privacy occasioned by such a border search, however, like the search of luggage, briefcases, and even clothing worn by a person entering the United States, is mitigated by other factors..... As Professor LaFave observes, because "the individual crossing a border is on notice that certain types of searches are likely to be made, his privacy is less invaded by those searches." .... Thus, "[t]he individual traveler determines the time and place of the search by his own actions, and he thus has ample opportunity to diminish the impact of that search by limiting the nature and character of the effects which he brings with him."... Indeed, because of the large number of laptop computers (close to a million per year) that are lost by travelers--numbers that far exceed the comparative handful of laptops that are searched at the border--the sensible advice to all travelers is to "[t]hink twice about the information you carry on your laptop," and to ask themselves: "Is it really necessary to have so much information accessible to you on your computer."

This seems problematic on multiple levels. First, if we go by the idea that there's less of a privacy violation because you know it's coming, then that gives the government the right to ignore the 4th Amendment so long as it tells you ahead of time that it's going to ignore the 4th Amendment. Even the Supreme Court in Smith v. Maryland -- the infamous case concerning the 3rd party doctrine -- states that such a scenario is ridiculous, and that just because you know that you're going to be searched, it doesn't automatically make the search reasonable.

As for the suggestion that you shouldn't store stuff on your computers, I'm sure that's great in theory, but I'd like judges to make decisions based in reality. This suggestion is basically "don't use your computer for what it's designed for, because we might search it." That's not exactly compelling.

Again, given past precedents, and the specific facts of this case, it's not entirely surprising. That doesn't mean it's not disappointing to see yet another middle finger given to the 4th Amendment to close out the year.

from the urls-we-dig-up dept

We trust automated solutions to perform all kinds of critical tasks, but how often do we verify that we're actually getting the right results? We survived the Y2K bug, but there are plenty of other examples of software and hardware flaws that could be much more (deadly) serious. Here are just a few disturbing computer glitches that you might have missed.

from the this-again? dept

You would think after last year's attention-grabbing lawsuit about the Lower Merion School district using some surreptitious monitoring software to activate webcams and snap photos of kids at home that others would be a lot more careful about their use of such software. After all, the school district ended up having to pay out $610,000 to settle the lawsuit filed against it.

However, in a similar story, a Wisconsin couple has apparently sued Aaron's Inc. for spying on them. Aaron's is a giant "rent-to-own" retailer, offering furniture, electronics and computers on a rent-to-own basis. In this case, the couple had rented a Dell laptop from the company, and later discovered that it had sneaky monitoring software on it which they were unaware of... but which was used to turn on the laptop's webcam and take pictures of the family without them knowing about it.

The only way they found out was that a store manager came to take back the computer, incorrectly believing the couple had not paid their bill (they had). When he showed up, he showed them a photo he had, which was taken from the webcam, which (understandably) freaked out the couple. They asked him how he got the photo, and his response was that he wasn't supposed to show them the photo. Well, that's comforting. Apparently, the product that was used to do this monitoring was hardware based as well, meaning that it couldn't be detected or turned off via software.

The couple and their lawyers are seeking to turn this into a class action for all renters of computers from Aaron's that have this tracking technology. Also, the couple contacted the police, who apparently still have the computer, so I guess there's at least some review of whether or not this is a criminal matter. The AP article (linked in the paragraph above) has a short discussion on whether or not this effort violated either ECPA or the CFAA:

Two attorneys who are experts on the relevant computer privacy laws, the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act, said it's difficult to tell if either was broken, though both agree the company went too far.

Peter Swire, an Ohio State professor, said using a software "kill switch" is legal because companies can protect themselves from fraud and other crimes.

Further, Swire said the Computer Fraud and Abuse Act "prohibits unauthorized access to my computer over the Internet. The renter here didn't authorize this kind of access."

Fred Cate, an information law professor at Indiana University, agrees that consent is required but said the real question might be: "Whose consent?"

It's no secret that both ECPA and CFAA have their problems, but it seems like this might be the type of case that those laws were more designed to cover -- though that definitely depends on some of the details which haven't come out yet.